The imminent threat against industrial control systems

By: Chris Morales

November 30, 2017

The United States has not been the victim of a paralyzing cyber-attack on critical infrastructure like the one that occurred in the Ukraine in 2015. That attack disabled the Ukrainian power grid, leaving more than 700,000 people helpless.

But the United States has had its share of smaller attacks against critical infrastructure. Most of these attacks targeted industrial control systems (ICS) and the engineering personnel who have privileged access.

ICS can be a controller that tells a valve when to open or close. It can also control the distribution of power in an energy grid. These systems are used extensively in chemical processing, pulp and paper manufacturing, power generation, oil and gas processing and telecommunications. All are part of our critical infrastructure.

What are the risks?

At one time, ICS was thought to be impervious to cyber-attacks because the computers used to operate them did not access the internet and were separate from the corporate network.

This is no longer true. Systems and network administrators, third-party vendors, industrial system developers and integrators have different levels of internet access and ICS management access. And they have unwittingly created a way in for attackers. For example, an infected laptop can be brought in by a contractor, connect to the network and spread to the controlled ICS environment.

Even worse, the growing prevalence of IoT-connected industrial devices has dramatically increased the ICS attack surface. This was illustrated in a study known as Project SHINE (SHodan INtelligence Extraction). Based on intelligence gathered from the SHODAN search engine between April 2012 and January 2014, the study found over one million ICS devices were remotely accessible on the internet.

The connectivity and integration of traditional information technology with operational technology – IT/OT convergence – is increasing exponentially. The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments. In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities.

There are three categories of documented attacks against critical infrastructure.

Intentional targeted attacks, such as gaining unauthorized access to computers inside the network, performing denial-of-service attacks or spoofing.

Unintentional consequences or collateral damage from worms, viruses or control system failures.

Unintentional consequences caused by internal personnel or mechanisms. This includes the testing of inappropriate software on operational systems or unauthorized system configuration changes.

An intentional targeted attack requires detailed knowledge of the control system and supporting infrastructure. Unintentional consequences are, however, more common and are equally important to detect and stop. Unintended behaviors, such as those of operators doing routine work, can introduce risks, making them equally important to monitor.

ICS automation, process control, access control devices, system accounts, and asset information have tremendous value to cyber attackers. The ever-widening attack surface gives them many ways to access an ICS environment.

Attacks against high-value ICS targets are often part of a larger attack campaign perpetrated by skilled cyber criminals. These campaigns typically include the most common phases in an attack lifecycle, including:

Establishing a foothold inside organizations

Internal reconnaissance to find critical management systems

Compromise of administrative systems and accounts to move laterally

Remotely controlling the attack using hidden tunnels

Attack campaigns can happen over the course of months and they require security analysts to perform a significant amount of data analysis, correlation and research to identify threats and evidence of a cyber-attack.

Examples of attacks on critical infrastructure

Malware targets European energy company – In June 2016, malware was discovered on the network of a European energy company that created a backdoor on targeted industrial control systems. The backdoor delivered a payload that was used to extract data from, or potentially shut down, the energy grid.

The Windows-based malware was designed to bypass traditional antivirus software and network firewalls, and there was a lack of internal network monitoring to detect the attacker behaviors after the infection occurred.

New York dam attack – In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, N.Y. The attackers compromised the dam’s command-and-control system over a dial-up connection.

This is one of the first major attempts by a foreign government entity to commandeer U.S. critical infrastructure. Although the attack happened in 2013, it wasn’t reported or attributed until 2016. There was a lack of internal network visibility to detect the attack behaviors.

Ukraine power outage – In December 2015, a Ukrainian power company experienced an outage that impacted a large area, including the regional capital of Ivano-Frankivsk. Cyber attackers caused the outage by using malware to exploit the macros in Microsoft Excel documents. The initial intrusion occurred via spear phishing emails and the attackers continued undetected inside the network.

These attacks succeeded because there was a lack of situational awareness by employees and management. This is not surprising, given the increased use of automation and internet connectivity within the industrial control systems.

What can I do about ICS attacks?

In the latest 2017 SANS survey on Securing Industrial Control Systems, four out of 10 practitioners said they lack visibility into their networks. This lack of visibility is one of the primary impediments to securing ICS systems. Security teams need full knowledge of connected and interconnected assets, configurations, and the integrity of communications to successfully protect critical infrastructure.

This might be why 44% of respondents consider the top threat to their ICS to be the addition of devices that can’t protect themselves to the network. This was followed by accidental internal threats (43%), external threats from hacktivists or nation-states (40%) and ransomware (35%).

Manually monitoring network devices and system administrators presents a challenge to resource-constrained organizations that cannot hire a large security team. Without automation, large teams of security analysts must perform the manual analysis required to identify attacks or unapproved behaviors within an ICS-regulated environment.

It is crucial to have visibility inside the network that can adapt to the dynamics of growth and change. Organizations also need technology that automates the real-time analysis of communication, devices, administrators, and human behaviors on a converged network to detect intentional attacks or unintentional consequences.
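As an added illustration of the kind of automated analysis this post calls for (not Vectra's code, and not something the author describes), the following Python example combines a known-asset inventory with a baseline of approved conversations and applies both to constructed flow records. It flags the behaviors the post names: an unknown device (such as a contractor laptop) talking to a PLC, an approved host using an unapproved protocol, a PLC initiating outbound connections, traffic leaving the ICS zone for an external address (a possible hidden tunnel), and one source sweeping many zone hosts (internal reconnaissance). Every address, role, port, range and threshold is hypothetical.

```python
"""Added example: baseline-driven detection over constructed ICS flow records.

Not Vectra's code. All addresses, roles, ports and thresholds are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical OT segment and the enterprise ranges it may legitimately reach.
ICS_ZONE = ip_network("10.10.0.0/24")
INTERNAL_RANGES = [ICS_ZONE, ip_network("10.20.0.0/16")]  # constructed

# Constructed asset inventory: the "full knowledge of connected assets" that
# survey respondents report lacking. Hosts in the zone not listed here are findings.
ASSETS = {
    "10.10.0.10": "hmi",
    "10.10.0.11": "engineering-workstation",
    "10.10.0.50": "plc",
    "10.10.0.51": "plc",
    "10.10.0.52": "plc",
}

# Baseline of approved conversations toward a PLC: (initiating role, dst port).
ALLOWED_TO_PLC = {("hmi", 502), ("engineering-workstation", 502)}  # Modbus/TCP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_RANGES)


def classify(flow):
    """Return the list of findings for one flow (empty when it matches baseline)."""
    src_role, dst_role = ASSETS.get(flow.src), ASSETS.get(flow.dst)
    src_in_zone = ip_address(flow.src) in ICS_ZONE
    dst_in_zone = ip_address(flow.dst) in ICS_ZONE
    findings = []
    if src_in_zone and src_role is None:
        findings.append("unknown-asset-in-ics-zone")   # e.g. a contractor laptop
    if dst_role == "plc" and (src_role, flow.dport) not in ALLOWED_TO_PLC:
        findings.append("unapproved-plc-access")       # wrong role or protocol
    if src_role == "plc" and not dst_in_zone:
        findings.append("plc-initiated-outbound")      # PLCs should only answer
    if src_in_zone and not is_internal(flow.dst):
        findings.append("ics-zone-to-external")        # possible hidden tunnel
    return findings


def find_scanners(flows, threshold=4):
    """Sources touching >= threshold distinct zone hosts: internal reconnaissance."""
    touched = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) in ICS_ZONE:
            touched[f.src].add(f.dst)
    return sorted(src for src, dsts in touched.items() if len(dsts) >= threshold)


def analyze(flows):
    """Per-flow findings plus the aggregate reconnaissance check."""
    per_flow = [(f, classify(f)) for f in flows]
    return {
        "flow_alerts": [(f, fs) for f, fs in per_flow if fs],
        "scanners": find_scanners(flows),
    }


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.0.10", "10.10.0.50", 502),   # HMI polling a PLC: baseline
    Flow("10.10.0.11", "10.10.0.51", 502),   # engineering download: baseline
    Flow("10.10.0.77", "10.10.0.50", 502),   # unknown host speaking Modbus...
    Flow("10.10.0.77", "10.10.0.51", 502),
    Flow("10.10.0.77", "10.10.0.52", 502),
    Flow("10.10.0.77", "10.10.0.10", 445),   # ...and sweeping the zone
    Flow("10.10.0.11", "10.10.0.50", 22),    # approved host, unapproved port
    Flow("10.10.0.50", "203.0.113.5", 443),  # PLC calling out to an external address
]

if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for flow, findings in report["flow_alerts"]:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {', '.join(findings)}")
    print("reconnaissance-like sources:", report["scanners"])
```

The design point is that none of these checks needs a signature for the malware involved: each compares observed communication against what the inventory and the approved-conversation baseline say should exist, which is why the baseline must be maintained as the converged network grows and changes.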

About the author

Chris Morales

Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.